Mitigating Supply Chain Risk: Component Security is Not Enough

The Challenge: Supply Chains are a National Security Vulnerability

As the United States has grown increasingly reliant on global supply chains, there has been renewed interest in their security. Because of the way supply chains developed globally over time, they are now more vulnerable to deliberate, malevolent interference, and more general trade disruption. These concerns have been exacerbated by the coronavirus pandemic. In addition, the definition of security for supply chains has also become quite broad, now including an array of concerns ranging from operational and financial security to cybersecurity and counterintelligence. Tolerance for supply-chain risks is decreasing as producers are recognizing the global complexity of supply chains, their fragility, and the increasing tensions with China. These characteristics create vulnerabilities and opportunities for blended attacks. The Department of Defense faces an operational imperative to build an integrated risk approach that addresses the blended vulnerabilities in supply chains.

Currently, most defense systems have hardware and software from multiple subprime vendors, and the focus has been on ensuring the provenance and security of each individual component. This approach rests on the assumption that secure individual components create secure overall products. But this assumption fails to account for larger integration challenges, which add an exponential level of complexity to any product or platform. A perfectly secure component can be compromised during assembly, especially if there are software-interface requirements introduced through programming and testing. In addition, the interfaces themselves can be compromised. Depending on what decisions were made earlier in a component’s or system’s life cycle, a compromise may not be detectable or corrected. New methods are required to address these challenges.

The Solution: A New Approach to Risk Integration for Defense Systems

To ensure supply-chain risk does not grow into a greater national security risk, a change in thinking is needed in the way major defense projects manage risk. For that to happen the federal government must propose, and Congress must pass, legislation that would shift a portion of responsibility for supply-chain risk to integrators—the prime vendors responsible for integrating complete products and systems—requiring these critical actors to ensure operational security of defense systems.

While the defense sector is not the only part of the U.S. economy subject to supply-chain risk, it is a good place to start in addressing vulnerabilities. The stakes in defense are high enough to overcome resistance to change, and defense and acquisitions processes are highly complex, presenting an opportunity to develop reforms that can be adapted to simpler contexts. Moreover, the defense budget is big enough to affect critical markets, helping spur second-order reforms. The federal government also has broad authority to act in matters regarding the defense sector.

This effort can build on recent positive developments. For example, the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) holds defense-industrial base (DIB) vendors accountable for cybersecurity. However, the CMMC lacks methods for holistically and systematically analyzing the security posture of the DIB. Even with the CMMC, questions remain over accountability, authority, and responsibility for the cybersecurity of the DIB and the government. Therefore, new legislation should resolve these questions by making prime vendors accountable for the overall security of each defense system for which they are under contract. Furthermore, the DIB should be required to do so by adopting a “system-engineering model” for risk that identifies the dependencies and interdependencies of relevant components and demonstrates that the integrated risks have been addressed.

Such a shift in the approach to supply-chain risk would require action across the Department of Defense, involving efforts in science and technology, research and development, and policy development. It would have even bigger implications for the defense-industrial base and its relationship with the Department of Defense. To work, the legislation would require two key components.

First, legislation should incentivize this shift in how system risk is managed. For example, financial instruments, tax incentives, insurance, and litigation all drive corporate behavior. A bond-like instrument and/or a bonus-like structure could hold capital for an appropriate amount of time after full-rate production and release it once the program risks are fully understood. The appropriate time would be determined based on the size, scale, and complexity of the program. This would give the research communities and government time to understand supply-chain and system integration risk management throughout the entire process.

Second, the government needs the capability to assess technical system integration and supply-chain risk. Therefore, a third-party technical-integration risk-assessment organization should undertake holistic system-engineering assessments to advise the acquisition, security, and intelligence communities in meeting their responsibilities. This organization could be led by a federally funded research and development center or university-affiliated research center acting as a trusted agent and would need to combine testing and evaluation with operational validation and verification at scale. It would need to be staffed with the appropriate level of critical expertise to provide an unbiased assessment.

These requirements would need to be fully funded, and the effort would carry a total cost of several billion dollars. But the long-term savings from more streamlined risk management practices— along with the benefits to national security—make this a small price to pay.

This solution would mitigate the risk of products and systems being developed that have major vulnerabilities, such as open test ports, open interfaces, and a lack of appropriate encryption levels. In the worst case, prime vendors make completely closed systems, which constrains the ability to continuously update those systems to minimize risk. Conversely, by incentivizing secure acquisition approaches such as resiliency, virtualization, containerization, and encryption, the federal government can support more secure practices that would benefit the government and the vendors. This approach would produce appropriately open, but secure, systems that can be rapidly upgraded (software and hardware) based on newly discovered vulnerabilities or threat actions.

Conclusion

Implementing such a fundamental change in supply-chain risk management requires strong and determined leadership. Current efforts focused on securing individual hardware and software components are not delivering supply-chain security— they are simply delivering component security. Bold action toward an integrated risk approach is needed for ensuring the security of the United States’ critical defense systems.

Download the full report »

^{Photo Credit: Travel mania / Shutterstock}

Edward Cardon is a senior counselor at the Cohen Group. He previously served as head of Army Cyber Command.

Harvey Rishikof is director of Policy and Cyber Security Research at the Applied Research Laboratory for Intelligence and Security at the University of Maryland. He previously served as senior policy advisor to the director of national counterintelligence at the Office of the Director of National Intelligence.

Thomas Hedberg is an associate research engineer with the Applied Research Laboratory for Intelligence and Security at the University of Maryland.